is it a security hole in Mandrake 9.1???

  1. #1

    is it a security hole in Mandrake 9.1???

    When you are logged on as a normal user, click on an rpm file that is to be installed. It asks for the root password. After installation, click on any other rpm that is to be installed and it goes on smoothly without a password. That is, once root authenticates himself with grpmi, he remains authenticated for the whole session??

    Do you think it is a security problem??? I suppose, though not too serious, it is a security flaw and should be corrected....

    I have posted the same on the Mandrake security list.

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    13
    security holes are teh suk. you might as well report it, give those hardcore coders some more work.

    although, if a user authenticates, they usually *are* root.. so it isn't really a hole unless they forget to log off, and the computer is public. users that forget to log off on public computers are teh suk.

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Have you installed an rpm, then done something else for a couple of minutes, and then tried?
    I don't know specifically for Mandrake or any other Linux for that matter, but it would seem that if you were installing many rpms in one session, it would be handy if you didn't have to authenticate for every one. So that if you installed a couple and then got a cup of coffee and came back, it would time out and you'd have to re-enter the root pass.

    I only suggest this because that is how I have found sudo to operate, and so maybe that is what the case is.

    And like ownage said, this would only really be a problem if you left your computer logged in..., something that if you are concerned with security you wouldn't be doing anyway.

    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    The RPM manager runs with the root context after you install the first RPM. If you were to close the RPM manager, then reopen it and try to install an RPM, it would ask you for root again. Not really a security issue any more than su or sudo are...unless you routinely walk away from a publicly accessible system with root logged in, but that's a security problem with the operator, not the system.
